[clemnt]

HF's CEO here. The malicious user has been identified, banned and the orgs have been restored. Sorry for the inconvenience.

[more_corn]

Doesn’t haveibeenpwned offer a service where you can check a password hash against known pwned passwords? Maybe it would be possible to proactively prevent use of previously pwned passwords (apologies for the accidental alliteration.)